Macros big again with cybercriminals

Distributors

Up to a year ago, most phishing emails were all about tricking users into clicking on malicious links that led to malware downloads. Starting last fall, however, the use of attachments increased eight-fold, and that increase has persisted to this day, according to a new report from Proofpoint.

Attachments were barely on the radar at the start of 2014, but began slowly picking up in the spring, with growth accelerating in the fall. By the end of the year, phishing emails were evenly divided between URLs and attachments. Then URL use declined at the start of this year, and the use of attachments continued to climb, to the point where they were outnumbering URLs four-to-one by April.

And the trend seems to be accelerating. According to Proofpoint, there were 56 different campaigns that used macros to deliver the Dridex Trojan, sometimes delivering several million malicious emails in a single day.

There were two reasons for this, according to Kevin Epstein, vice president, advanced security and governance at Proofpoint. Macro writers got better at evading security mechanisms, and drive-by downloads became harder to do.

To successfully deploy malware via a browser download, the criminals has to discover a bug in the browser and write code to take advantage of that bug.

"It's not cheap or easy to find these flaws," Epstein said.

Plus, once the first malware campaign hits, everyone learns about the flaw, it gets fixed, people install the patches or updates, and the window of opportunity for the criminals narrows dramatically.

That's not the case with macros, however.

Despite all the training efforts, users continue to open phishing emails and click on attachments.

According to a Proofpoint report, users open 10 to 20 percent of all phishing emails, and click on one out of every 25 phishing attachments they receive. That's a success rate of around 4 percent -- double the success rates of legitimate advertising campaigns, said Epstein. That's because criminals have more tricks they can use than real companies.

"They're not bound by ethical constraints. they can spoof your friend's email address, or have an enticing subject line," he said.

Plus, attackers typically don't respect anti-spam legislation and will send out millions of emails at a time. With a 4 percent success rate, that translates into 40,000 downloads per million emails.

"If I initiate one successful bank transfer out of that, I'll have paid for my campaign times 10," he said. "The math works in their favor."

The attackers carefully track both their download rates and their attachment open rates, he said, and continually adapt their email content for maximum effectiveness.

Most recently, he said, those are very straightforward emails pretending to be from an electronic fax or email system, followed by invoices or financial transfer instructions.

When opened, the macros only activate when the user clicks on something in the document -- to see an enlarged version of a table, for example. That way, Epstein explained, they evade sandbox-based security.

Even if the user has macros disabled, they will regularly approve an override out of habit, he said.

"The weakest link, again, is us," he said.

The macro then installs a new piece of malware, usually the Dridex trojan, which quietly monitors the user's browsing history and steals banking credentials.

To battle this threat, Epstein recommends upgrading to the latest gateway security technology if the current system was installed more than a couple of years ago. And, in addition to initial protection, invest in targeted attack protection and threat response technologies, he added, for when malware does slip through.

ARN Distributor Directory

ARN Vendor Directory

Slideshows

​Inside the new HP Customer Welcome Centre in Sydney…

HP unveiled its new Customer Welcome Centre (CWC) in Sydney this week, following on more than a year after the vendor opened the doors of its Experience Centre in Melbourne (MEC). The new space offers on-site HP technicians and visiting channel partners the ability to reconfigure equipment and put together tailored solutions based on the needs of individual end clients or target vertical markets. The centre can also be booked by customers and partners for meetings, events, workshops, seminars, and training. Photos by HP.

Zscaler Australia toasts the channel at Xmas drinks

Zscaler recently hosted its partner update and Christmas drinks event in Australia where more than 20 partners attended the event at the QT hotel in the Sydney. The event provided a forum for the company to update its Australian partners on the company's strategy for cloud security in the year ahead. It was also a great opportunity for the company to introduce Sean Kopelke as country manager for A/NZ. The event ended with Christmas drinks and a celebration of momentum gained in 2016.

IN PICTURES: ​Nutanix X Tours

Nutanix recently held two ‘X Tours’, which brought the company’s flagship event .NEXT to Brisbane and Melbourne. Customers and partners got a firsthand look at the new era of IT and exposure to the potential of the Nutanix Enterprise Cloud platform. Both events featured key speakers both from Nutanix and its partners.

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Related Whitepapers

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.